VMware Networking Community
LJMCP
Enthusiast

vCNS to NSX Upgrade - Trend Deep Security. Guest Introspection AgentVM Required

Hi,

I am planning an upgrade of vShield/vCNS (5.5.4) to NSX (6.2.8, then 6.3.4).  We use AV/endpoint protection only.  We currently have TrendMicro DSM 9.6 deployed and DSVAs deployed to each ESXi host.

I am unclear on whether I have to deploy the Guest Introspection agent VMs after NSX Manager upgrade.  Are these not the same as the DSVAs? 

In testing, after I upgraded vCNS to NSX Manager, I see under Service Deployments that an upgrade is available for Guest Introspection.  I tried upgrading a test ESXi cluster that already had DSVAs deployed and did see errors on the GI agentvms after deployment.

Thanks!

Lyle

Sreec
VMware Employee

You need to follow the steps below:

1. Upgrade vCNS to NSX.

2. Prepare the ESXi host.

3. If you have any Edges, upgrade them (you must upgrade the Edge to be NSX compatible prior to the NSX 6.3.4 upgrade).

4. Upgrade EndPoint to the Guest Introspection service.

5. If your partner solution (in this case DSVA) supports the upgraded NSX/ESXi/VC versions, no upgrade is needed. Otherwise you need to upgrade the partner solution as well. Do check the partner solution guide for the detailed procedure. Also check the VMware HCL: VMware Compatibility Guide - Networking and Security.

6. VMware Tools must be installed on the guest virtual machines, as this includes the Guest Introspection driver.

  • The Guest Introspection VM and the DSVA are not the same - Guest Introspection installs a VIB and a Service VM per host (done at the cluster level)
  • The DSVA VM will also be one per host

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 7x|Cisco Certified Specialist
Please KUDO helpful posts and mark the thread as solved if answered
Techstarts
Expert

I have the same question, but we are running McAfee MOVE Agentless.

We are planning to upgrade vCNS to NSX Manager.

The question I have is: how do I know if the Security Virtual Appliance (SVA) is compatible with NSX Manager?

After we upgrade the Guest Introspection services appliance, the upgrade guide asks us to check with the vendor.

With Great Regards,
Sreec
VMware Employee

This is one way of checking, from the VMware HCL site. Select the partner name, ESXi version, API integration and solution, along with the NSX version. Other than this, we will have to check with the vendor to know the supported version.

Also do check

McAfee Corporate KB - Supported platforms, environments, and operating systems for Management for Op...

VMware HCL

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 7x|Cisco Certified Specialist
Please KUDO helpful posts and mark the thread as solved if answered
Techstarts
Expert

Thank you so much Sreec

With Great Regards,
LJMCP
Enthusiast

Thanks so much for the info, Sreec! This upgrade is for AV/Endpoint only; no other networking services are currently provided by the installed vCNS (i.e. Edge).

For step 2, Prepare the ESXi host... what is this doing exactly.  This is done from NSX manager?

For step 4, this will upgrade epsec-mux VIB to some other VIB as well as deploy VMware's Guest Introspection service VM on each host?

Sreec
VMware Employee

Appreciate you sharing the feedback.

For step 2, Prepare the ESXi host... what is this doing exactly.  This is done from NSX manager?

This task is done from the NSX plugin, which is populated in the vCenter Server Web Client after NSX+VC registration. When you prepare the host, the VIBs below get pushed via EAM, based on the respective ESXi version.

[Screenshot: VIBs pushed during host preparation (pastedImage_0.png)]

For step 4, this will upgrade epsec-mux VIB to some other VIB as well as deploy VMware's Guest Introspection service VM on each host?

epsec-mux will also be upgraded, as per my understanding; you can search for it with: esxcli software vib get --vibname epsec-mux

Note: VMs will not be protected during the upgrade process.

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 7x|Cisco Certified Specialist
Please KUDO helpful posts and mark the thread as solved if answered
LJMCP
Enthusiast

I don't believe Step 2 is necessary for those only doing end-point protection.

I can confirm that after upgrading Guest Introspection, epsec-mux 6.5.0esx60-4885300 VIB was deployed to the ESXi host.

Sreec
VMware Employee

That is correct - if you look at the last screenshot of the VIBs, it clearly shows what the purpose of the VIB is. During the initial discussion I was under the impression you were leveraging other NSX services (hence host preparation was mentioned). If you are using NSX for managing Guest Introspection for anti-virus offload capability only, we do not need to prepare the hosts.

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 7x|Cisco Certified Specialist
Please KUDO helpful posts and mark the thread as solved if answered
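
The epsec-mux VIB check mentioned in the thread, as an added example that is not part of any poster's reply: a POSIX shell helper that parses the output of esxcli software vib get and reports whether epsec-mux is present at the expected version. The sample output is constructed (only the VIB name and version string come from the thread), and the function names and status strings are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): confirm the epsec-mux VIB on an ESXi
# host after the Guest Introspection upgrade.

# Constructed sample of `esxcli software vib get --vibname epsec-mux` output.
# Only the VIB name and version string are taken from the thread.
SAMPLE_VIB_GET='VMware_bootbank_epsec-mux_6.5.0esx60-4885300
   Name: epsec-mux
   Version: 6.5.0esx60-4885300
   Type: bootbank
   Vendor: VMware
   Acceptance Level: VMwareCertified'

# vib_field FIELD: read esxcli output on stdin, print the value of FIELD.
vib_field() {
    awk -v key="$1" '{
        line = $0
        sub(/^[ \t]+/, "", line)                 # drop the indentation
        sep = index(line, ": ")
        if (sep && substr(line, 1, sep - 1) == key) {
            print substr(line, sep + 2); exit
        }
    }'
}

# check_epsec_mux EXPECTED_VERSION: esxcli output on stdin.
# Returns 0 = expected version, 1 = other version, 2 = VIB not present.
check_epsec_mux() {
    expected="$1"
    out=$(cat)
    name=$(printf '%s\n' "$out" | vib_field Name)
    ver=$(printf '%s\n' "$out" | vib_field Version)
    if [ "$name" != "epsec-mux" ] || [ -z "$ver" ]; then
        echo "MISSING epsec-mux VIB not reported on this host"
        return 2
    fi
    if [ "$ver" != "$expected" ]; then
        echo "MISMATCH epsec-mux $ver (expected $expected)"
        return 1
    fi
    echo "OK epsec-mux $ver"
}

# On a host: esxcli software vib get --vibname epsec-mux | check_epsec_mux <version>
printf '%s\n' "$SAMPLE_VIB_GET" | check_epsec_mux 6.5.0esx60-4885300
```

Since the thread notes that VMs are not protected during the upgrade, a MISSING or MISMATCH result on any host in the cluster is worth resolving before treating the Guest Introspection upgrade as finished.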